URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546
From 77ba575a4400e3e27eb8278e8d9161e8ae33d0d4 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 18:47:56 -0500 Subject: [PATCH] Store session cookie in a ccache option Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 30 ++----- ipapython/session_storage.py | 193 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 201 insertions(+), 22 deletions(-) create mode 100644 ipapython/session_storage.py diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8d1bba5..cf7765c 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,7 @@ from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger from ipapython import ipautil -from ipapython import kernel_keyring +from ipapython import session_storage from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ @@ -84,19 +84,11 @@ unicode = str COOKIE_NAME = 'ipa_session' -KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME +CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie' errors_by_code = dict((e.errno, e) for e in public_errors) -def client_session_keyring_keyname(principal): - ''' - Return the key name used for storing the client session data for - the given principal. - ''' - - return KEYRING_COOKIE_NAME % principal - def update_persistent_client_session_data(principal, data): ''' Given a principal create or update the session data for that @@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data): ''' try: - keyname = client_session_keyring_keyname(principal) + s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) + s.store_data(principal, data) except Exception as e: raise ValueError(str(e)) - # kernel_keyring only raises ValueError (why??) - kernel_keyring.update_key(keyname, data) - def read_persistent_client_session_data(principal): ''' Given a principal return the stored session data for that @@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal): ''' try: - keyname = client_session_keyring_keyname(principal) + s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) + return s.get_data(principal) except Exception as e: raise ValueError(str(e)) - # kernel_keyring only raises ValueError (why??) - return kernel_keyring.read_key(keyname) - def delete_persistent_client_session_data(principal): ''' Given a principal remove the session data for that @@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal): ''' try: - keyname = client_session_keyring_keyname(principal) + s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) + s.remove_data(principal) except Exception as e: raise ValueError(str(e)) - # kernel_keyring only raises ValueError (why??) - kernel_keyring.del_key(keyname) - def xml_wrap(value, version): """ Wrap all ``str`` in ``xmlrpc.client.Binary``. diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py new file mode 100644 index 0000000..b997c80 --- /dev/null +++ b/ipapython/session_storage.py @@ -0,0 +1,193 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import ctypes + + +try: + LIBKRB5 = ctypes.CDLL('libkrb5.so.3') +except OSError as e: # pragma: no cover + raise ImportError(str(e)) + + +class _krb5_context(ctypes.Structure): # noqa + """krb5/krb5.h struct _krb5_context""" + _fields_ = [] + + +class _krb5_ccache(ctypes.Structure): # noqa + """krb5/krb5.h struct _krb5_ccache""" + _fields_ = [] + + +class _krb5_data(ctypes.Structure): # noqa + """krb5/krb5.h struct _krb5_data""" + _fields_ = [ + ("magic", ctypes.c_int32), + ("length", ctypes.c_uint), + ("data", ctypes.c_char_p), + ] + + +class krb5_principal_data(ctypes.Structure): # noqa + """krb5/krb5.h struct krb5_principal_data""" + _fields_ = [] + + +class KRB5Error(Exception): + pass + + +def krb5_errcheck(result, func, arguments): + """Error checker for krb5_error return value""" + if result != 0: + raise KRB5Error(result, func.__name__, arguments) + + +krb5_principal = ctypes.POINTER(krb5_principal_data) +krb5_context = ctypes.POINTER(_krb5_context) +krb5_ccache = ctypes.POINTER(_krb5_ccache) +krb5_data_p = ctypes.POINTER(_krb5_data) +krb5_error = ctypes.c_int32 + +krb5_init_context = LIBKRB5.krb5_init_context +krb5_init_context.argtypes = (ctypes.POINTER(krb5_context), ) +krb5_init_context.restype = krb5_error +krb5_init_context.errcheck = krb5_errcheck + +krb5_free_context = LIBKRB5.krb5_free_context +krb5_free_context.argtypes = (krb5_context, ) +krb5_free_context.retval = None + +krb5_free_principal = LIBKRB5.krb5_free_principal +krb5_free_principal.argtypes = (krb5_context, krb5_principal) +krb5_free_principal.retval = None + +krb5_free_data_contents = LIBKRB5.krb5_free_data_contents +krb5_free_data_contents.argtypes = (krb5_context, krb5_data_p) +krb5_free_data_contents.retval = None + +krb5_cc_default = LIBKRB5.krb5_cc_default +krb5_cc_default.argtypes = (krb5_context, ctypes.POINTER(krb5_ccache), ) +krb5_cc_default.restype = krb5_error +krb5_cc_default.errcheck = krb5_errcheck + +krb5_cc_close = LIBKRB5.krb5_cc_close +krb5_cc_close.argtypes = (krb5_context, krb5_ccache, ) +krb5_cc_close.retval = krb5_error +krb5_cc_close.errcheck = krb5_errcheck + +krb5_parse_name = LIBKRB5.krb5_parse_name +krb5_parse_name.argtypes = (krb5_context, ctypes.c_char_p, + ctypes.POINTER(krb5_principal), ) +krb5_parse_name.retval = krb5_error +krb5_parse_name.errcheck = krb5_errcheck + +krb5_cc_set_config = LIBKRB5.krb5_cc_set_config +krb5_cc_set_config.argtypes = (krb5_context, krb5_ccache, krb5_principal, + ctypes.c_char_p, krb5_data_p, ) +krb5_cc_set_config.retval = krb5_error +krb5_cc_set_config.errcheck = krb5_errcheck + +krb5_cc_get_config = LIBKRB5.krb5_cc_get_config +krb5_cc_get_config.argtypes = (krb5_context, krb5_ccache, krb5_principal, + ctypes.c_char_p, krb5_data_p, ) +krb5_cc_get_config.retval = krb5_error +krb5_cc_get_config.errcheck = krb5_errcheck + + +class ccache_store(object): + def __init__(self, name='X-IPA-Session-Cookie'): + self.__context = None + context = krb5_context() + krb5_init_context(ctypes.byref(context)) + self.__context = context + + self._hidden_cred_name = name + + def __enter__(self): + return self + + def __exit__(self, type, value, traceback): + if self.__context: + krb5_free_context(self.__context) + self.__context = None + + def store_data(self, client, value): + """ + Stores the session cookie in a hidden ccache entry. + """ + principal = ccache = None + + try: + principal = krb5_principal() + krb5_parse_name(self.__context, ctypes.c_char_p(client), + ctypes.byref(principal)) + + ccache = krb5_ccache() + krb5_cc_default(self.__context, ctypes.byref(ccache)) + + buf = ctypes.create_string_buffer(value) + data = _krb5_data() + data.data = buf.value + data.length = len(buf) + krb5_cc_set_config(self.__context, ccache, principal, + self._hidden_cred_name, ctypes.byref(data)) + + finally: + if principal: + krb5_free_principal(self.__context, principal) + if ccache: + krb5_cc_close(self.__context, ccache) + + def get_data(self, client): + """ + Gets the session cookie in a hidden ccache entry. + """ + principal = ccache = data = None + + try: + principal = krb5_principal() + krb5_parse_name(self.__context, ctypes.c_char_p(client), + ctypes.byref(principal)) + + ccache = krb5_ccache() + krb5_cc_default(self.__context, ctypes.byref(ccache)) + + data = _krb5_data() + krb5_cc_get_config(self.__context, ccache, principal, + self._hidden_cred_name, ctypes.byref(data)) + + return str(data.data) + + finally: + if principal: + krb5_free_principal(self.__context, principal) + if ccache: + krb5_cc_close(self.__context, ccache) + if data: + krb5_free_data_contents(self.__context, data) + + def remove_data(self, client): + """ + Removes the hidden ccache entry with the session cookie. + """ + principal = ccache = None + + try: + principal = krb5_principal() + krb5_parse_name(self.__context, ctypes.c_char_p(client), + ctypes.byref(principal)) + + ccache = krb5_ccache() + krb5_cc_default(self.__context, ctypes.byref(ccache)) + + krb5_cc_set_config(self.__context, ccache, principal, + self._hidden_cred_name, None) + + finally: + if principal: + krb5_free_principal(self.__context, principal) + if ccache: + krb5_cc_close(self.__context, ccache)
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code